Hi Guilhem,

On Thu, May 07, 2020 at 01:09:52AM +0200, Guilhem Moulin wrote:
> Control: notfixed -1 2016.11.2+ds-1+deb9u3
>
> On Wed, 6 May 2020 at 10:36:42 +0200, Elimar Riesebieter wrote:
> > please notice the attached note from saltstack! I assume this is not
> > integrated into DSA 4676-1, isn't it?
>
> Ooops yes, 2016.11.2+ds-1+deb9u3 appears to still be vulnerable to
> CVE-2020-11652:
>
> | If you have already applied the patch for Salt 2017.x or earlier, there
> | is a follow-up patch to apply. You can download the patch and
> | instructions below. **This applies to 2017.x, 2016.x, and 2015.x. This
> | does NOT apply to 2018.x, 2019.x, or 3000.x.**
> | […]
> | - 2016.x <http://em.saltstack.com/WP01MfH790m1QhM00U0s800>
> | […]
> | The original patch for versions 2017.x and earlier secured against
> | arbitrary commands running on Salt minions and eliminated the exposure
> | (CVE-2020-11651). This additional patch is required to completely
> | resolve arbitrary directory access to authenticated users
> | (CVE-2020-11652).
Yes, aware of this incomplete fix, and a follow-up DSA will go out later today.

I would like to get some testing feedback on the stretch packages; if you have such an instance, https://people.debian.org/~carnil/tmp/salt/stretch/ contains testing packages.

Regards,
Salvatore